QUESTION 291 Your network contains an Active Directory domain named contoso.com. All domain controllers run Windows Server 2012 R2. One of the domain controllers is named DC1. The DNS zone for the contoso.com zone is Active Directory-integrated and has the default settings. A server named Server1 is a DNS server that runs a UNIX-based operating system. You plan to use Server1 as a secondary DNS server for the contoso.com zone. You need to ensure that Server1 can host a secondary copy of the contoso.com zone. What should you do?

A. From Windows PowerShell, run the Set-DnsServerPrimaryZone cmdlet and specify the contoso.com zone as a target.
B. From DNS Manager, modify the Security settings of DC1.
C. From DNS Manager, modify the replication scope of the contoso.com zone.
D. From DNS Manager, modify the Advanced settings of DC1.

Answer: A
Explanation: Set-DnsServerPrimaryZone changes settings for a DNS primary zone. Applies to: Windows Server 2012 R2. The Set-DnsServerPrimaryZone cmdlet changes settings for an existing Domain Name System (DNS) primary zone. You can change values that are relevant for either Active Directory-integrated zones or file-backed zones. Examples of parameters include:
-NotifyServers <IPAddress[]>: Specifies an array of IP addresses of secondary DNS servers that the DNS master server notifies of changes to resource records. You need this parameter only if you selected the value NotifyServers for the Notify parameter.
-Notify <String>: Specifies how a DNS master server notifies secondary servers of changes to resource records. The acceptable values for this parameter are:
NoNotify. The zone does not send change notifications to secondary servers.
Notify. The zone sends change notifications to all secondary servers.
NotifyServers. The zone sends change notifications to some secondary servers. If you choose this option, specify the list of secondary servers in the NotifyServers parameter.
Reference: Set-DnsServerPrimaryZone
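The following PowerShell is an added example, not part of the original question set, showing how Set-DnsServerPrimaryZone is used on DC1 to permit a specific non-Windows secondary for contoso.com and to notify it of changes. The IP address 10.0.0.50 for Server1 is a constructed placeholder; the cmdlets and parameter values (-SecureSecondaries, -SecondaryServers, -Notify, -NotifyServers) are those of the DnsServer module. Restricting transfers to a named secondary, rather than to any server, keeps the zone contents from being pulled by arbitrary hosts.

```powershell
# Added example (not from the original question bank). Run on DC1 in an elevated
# PowerShell session with the DnsServer module available.
# 10.0.0.50 is a constructed placeholder for Server1's address.
$zone      = 'contoso.com'
$secondary = [System.Net.IPAddress]::Parse('10.0.0.50')

# Record the current transfer policy before changing anything.
Get-DnsServerPrimaryZone -Name $zone |
    Select-Object ZoneName, SecureSecondaries, SecondaryServers, Notify, NotifyServers

# Allow zone transfers only to the listed secondary and send DNS NOTIFY to it,
# so Server1 can pull the zone (AXFR/IXFR) and learns of changes promptly.
Set-DnsServerPrimaryZone -Name $zone `
    -SecureSecondaries TransferToSecureServers `
    -SecondaryServers  $secondary `
    -Notify            NotifyServers `
    -NotifyServers     $secondary

# Verify: Server1 should now be the only permitted secondary for the zone.
(Get-DnsServerPrimaryZone -Name $zone).SecondaryServers
```

After this change, a zone transfer attempt from any address other than 10.0.0.50 is refused by DC1, which is the setting to confirm when auditing who can read the whole zone.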

QUESTION 292 Your network contains an Active Directory domain named contoso.com. Network Access Protection (NAP) is deployed to the domain. You need to create NAP event trace log files on a client computer. What should you run?

QUESTION 293 Your network contains an Active Directory domain named contoso.com. All domain controllers run Windows Server 2012 R2. The domain contains two servers. The servers are configured as shown in the following table. Server1 and Server2 host a load-balanced website named Web1. Web1 runs by using an application pool named WebApp1. WebApp1 uses a group Managed Service Account named gMSA1 as its identity. Domain users connect to Web1 by using either the name Web1.contoso.com or the alias myweb.contoso.com. You discover the following:
– When the users access Web1 by using Web1.contoso.com, they authenticate by using Kerberos.
– When the users access Web1 by using myweb.contoso.com, they authenticate by using NTLM.
You need to ensure that the users can authenticate by using Kerberos when they connect by using myweb.contoso.com. What should you do?

A. Run the Add-ADComputerServiceAccount cmdlet.
B. Modify the properties of the gMSA1 service account.
C. Modify the properties of the Web1 website.
D. Run the Install-ADServiceAccount cmdlet.

Answer: D
Explanation:
* Install-ADServiceAccount installs an Active Directory service account on a computer.
* The Install-ADServiceAccount cmdlet installs an existing Active Directory service account on the computer on which the cmdlet is run. This cmdlet verifies that the computer is eligible to host the service account. The cmdlet also makes the required changes locally so that the service account password can be periodically reset by the computer without requiring any user action.
* Managed service accounts and virtual accounts are two new types of accounts introduced in Windows Server 2008 R2/2012 and Windows 7/8 to enhance the service isolation and manageability of network applications such as Microsoft SQL Server and Internet Information Services (IIS).
* If you configure the application to use a domain account, you can isolate the privileges for the application, but you need to manually manage passwords or create a custom solution for managing these passwords. Many SQL Server and IIS applications use this strategy to enhance security, but this strategy requires additional administration and complexity. In these deployments, service administrators spend a considerable amount of time on maintenance tasks such as managing service passwords and service principal names (SPNs), which are required for Kerberos authentication. In addition, these maintenance tasks can disrupt service. Two new types of accounts available in Windows Server 2008 R2 and Windows 7, the managed service account and the virtual account, are designed to provide crucial applications such as SQL Server or IIS with the isolation of their own accounts, while eliminating the need for an administrator to manually administer the SPN and credentials for these accounts.
Reference: Service Accounts Step-by-Step Guide
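The following PowerShell is an added example, not part of the original question set, showing the Install-ADServiceAccount step on a web server together with the checks an administrator runs when one host name gets Kerberos and an alias falls back to NTLM. It uses the names from the question (gMSA1, myweb.contoso.com); the cmdlets are those of the ActiveDirectory module. The SPN inspection at the end is a diagnostic for the symptom the question describes: Kerberos is only offered for a name that has a matching SPN on the account running the application pool.

```powershell
# Added example (not from the original question bank). Run in an elevated
# PowerShell session on each web server (Server1, Server2) with the
# ActiveDirectory module installed. Names come from the question text.
Import-Module ActiveDirectory

$gmsa  = 'gMSA1'
$alias = 'myweb.contoso.com'

# 1. Install the gMSA locally so this host can retrieve its managed password.
Install-ADServiceAccount -Identity $gmsa

# 2. Confirm the host is permitted to use the account (returns $true or $false).
if (-not (Test-ADServiceAccount -Identity $gmsa)) {
    throw "$gmsa is installed but this host cannot retrieve its password; check PrincipalsAllowedToRetrieveManagedPassword on the account."
}

# 3. Kerberos requires an SPN for every name clients connect with. List what
#    the gMSA currently has registered.
$acct = Get-ADServiceAccount -Identity $gmsa -Properties ServicePrincipalNames
$acct.ServicePrincipalNames

# 4. Report whether the alias is covered. Without an HTTP SPN for the alias the
#    client cannot obtain a service ticket for that name and falls back to NTLM.
$wanted = "HTTP/$alias"
if ($acct.ServicePrincipalNames -notcontains $wanted) {
    Write-Warning "No SPN $wanted is registered on $gmsa; Kerberos will not be used for $alias."
} else {
    Write-Output "SPN $wanted present on $gmsa; Kerberos can be negotiated for $alias."
}
```

On a domain-joined client, `klist get HTTP/myweb.contoso.com` after this check shows whether a service ticket is actually issued for the alias.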

QUESTION 294 Your network contains an Active Directory forest named contoso.com. The forest contains a single domain. All domain controllers run Windows Server 2012 R2. The domain contains two domain controllers. The domain controllers are configured as shown in the following table. Active Directory Recycle Bin is enabled. You discover that a support technician accidentally removed 100 users from an Active Directory group named Group1 an hour ago. You need to restore the membership of Group1. What should you do?

Answer: C
Explanation: Active Directory provides a mechanism for restoring a tombstone back into a normal object. This is effectively an undelete function for deleted objects. The function is a specially formed LDAP modify operation that must include two specific attribute modifications: it must remove the isDeleted attribute (not just set it to FALSE) and it must move the object to another container by changing the object’s distinguishedName. The new distinguishedName typically (but not necessarily) uses the lastKnownParent attribute as the container and keeps the same RDN minus the \0ADEL:<objectGUID> component that Active Directory added when it created the tombstone.
Note:
* When deleting an object, Active Directory will not actually delete that object immediately (in most cases) but rather it will keep it for a period of time as a tombstone object. This means it will remove some of its attributes, add the isDeleted=True attribute, and place the object in the Deleted Objects container.
* Tombstone reanimation (which has nothing to do with zombies) provides the only way to recover deleted objects without taking a DC offline, and it’s the only way to recover a deleted object’s identity information, such as its objectGUID and objectSid attributes. It neatly solves the problem of recreating a deleted user or group and having to fix up all the old access control list (ACL) references, which contain the objectSid of the deleted object. Just keep in mind that tombstone reanimation does have its own limitations, which I will discuss, so you’ll still want to keep authoritative restores in your box of tricks.
* Restoring an object with Active Directory Recycle Bin: In the management console, go to Tools > Active Directory Administrative Center. Click the Deleted Objects folder. Search the list of deleted objects for the object that needs to be restored. Right-click the selected object and select Restore from the shortcut menu.
Reference: Step-By-Step: Utilizing Active Directory Recycle Bin to Restore A Deleted Object

QUESTION 295 Sometimes it is important to remove an RODC from your forest or domain. However, it is important that you follow a simple rule when removing RODCs. What is this rule?
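The following PowerShell is an added example, not part of the original question set, showing the restore mechanism the explanation describes from the command line instead of Active Directory Administrative Center: deleted objects are located with their isDeleted flag and lastKnownParent, and Restore-ADObject performs the reanimation that clears isDeleted and moves the object back under its former parent while keeping objectGUID and objectSid. It assumes Active Directory Recycle Bin is enabled, the caller holds restore rights, and DC1.contoso.com is the domain controller to target; the one-hour window matches the question.

```powershell
# Added example (not from the original question bank). Requires the
# ActiveDirectory module and Recycle Bin enabled in the forest.
Import-Module ActiveDirectory

$server = 'DC1.contoso.com'          # assumed target DC
$since  = (Get-Date).AddHours(-1)    # the question says the deletion was an hour ago

# Deleted objects are only returned with -IncludeDeletedObjects. Their RDN carries
# the \0ADEL:<objectGUID> suffix and isDeleted=TRUE described in the explanation.
$deleted = Get-ADObject -Server $server -IncludeDeletedObjects `
    -Filter { isDeleted -eq $true -and whenChanged -ge $since -and objectClass -eq 'user' } `
    -Properties lastKnownParent, whenChanged, objectSid

# Review before restoring: name, where it lived, when it changed, and the SID that
# existing ACL entries still reference.
$deleted | Select-Object Name, lastKnownParent, whenChanged, objectSid | Format-Table -AutoSize

foreach ($obj in $deleted) {
    # Restore-ADObject needs the former parent to exist; if the OU was deleted too,
    # it has to be restored first.
    $parent = Get-ADObject -Server $server -Identity $obj.lastKnownParent -ErrorAction SilentlyContinue
    if (-not $parent) {
        Write-Warning "Parent $($obj.lastKnownParent) of $($obj.Name) is missing; restore the parent first."
        continue
    }
    # Reanimate: isDeleted is cleared and the object moves back under lastKnownParent,
    # keeping objectGUID and objectSid, so no ACL fix-up is required.
    Restore-ADObject -Server $server -Identity $obj.ObjectGUID
}
```

Because the Recycle Bin preserves linked attributes, a user restored this way returns with its group memberships intact, which is the property that distinguishes a Recycle Bin restore from recreating the account.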

A. All RODCs must be detached before removing a final writable domain controller.
B. All writable domain controllers must be removed before RODCs can be detached.
C. Your forest must only consist of RODCs if you want to remove them.
D. There are no rules for removing RODCs.

Answer: A
Explanation: After researching this and using logic, we need a writable DC for an RODC to exist; therefore we have to remove all RODCs before removing the last writable DC.

QUESTION 296 DNS record types come in many forms, but which record type is being described below? Maps a domain name such as www.google.com to an IP address

A. A
B. CNAME
C. MX
D. PTR

Answer: A

QUESTION 297 In Windows Server 2012 R2, you can remove the Server Graphical Shell, resulting in the “Minimal Server Interface.” This is similar to a Server with a GUI installation except that some features are not installed. Which of the following features is not installed in this scenario?

Answer: B
Explanation: When you choose the Minimal Server Interface option, Internet Explorer 10, Windows Explorer, the desktop, and the Start screen are not installed. Microsoft Management Console (MMC), Server Manager, and a subset of Control Panel are still present.

QUESTION 298 Which of the following features is available when Windows Server 2012 R2 is installed using the GUI option but without the desktop experience feature installed?

A. Metro-style Start screen
B. Built-in help system
C. All of these
D. Windows Media Player

QUESTION 299 You are a network administrator of an Active Directory domain named contoso.com. You have a server named Server1 that runs Windows Server 2012 R2. Server1 has the DHCP Server server role and the Network Policy Server role service installed. You enable Network Access Protection (NAP) on all of the DHCP scopes on Server1. You need to create a DHCP policy that will apply to all of the NAP non-compliant DHCP clients. Which criteria should you specify when you create the DHCP policy?

QUESTION 300 You have a server named Server1 that runs Windows Server 2012 R2. You create a custom Data Collector Set (DCS) named DCS1. You need to configure Server1 to start DCS1 automatically when the network usage exceeds 70 percent. Which type of data collector should you create?